
Re: Netconf Rbac draft
Hello Vincent,
What you propose is fine, but I foresee a big number of actions (let's say 100). Defining permissions for each separately is quite a task. Also Ericsson and at least Tail-f have actions defined in the data model.

For this reason I believe each action should have an access control property readOnly/mightChangeConfiguration/mightDisturbTraffic which tells you how dangerous the action is. After this it would be easy to say things like:
- Junior operator has readOnly access to the whole configuration
- performance manager operator has full read rights, write rights to the top/performanceManagement subtree, but no disturbTraffic rights
- superuser has full rights to everything.

I chose the readOnly/mightChangeConfiguration/mightDisturbTraffic options as these are the things that are really interesting for the operator, although one might argue about disturbTraffic. On the other hand I feel the operator does not care if we update an attribute or create a new one. For him it is the same: you made a configuration change that potentially might have long term effects.

regards Balazs

cridligv@loria.fr wrote:
Hi Balazs,

Sorry for the long delay...

We could add a new attribute value like 'x' for the operations:
<permission id="1" op="x">
  <kill/>
</permission>

OR

<permission id="1" op="kill"/>

where kill can be replaced with lock, unlock, and so on.

I prefer the second version.

Regards,
Vincent


Balazs Lengyel <balazs.lengyel@ericsson.com> wrote:

Hello Vincent,
I recently read your netconf RBAC draft. I have one question: How would you control actions other than the standard get/edit/copy/delete?
I am interested both in standard "actions" like kill, lock, unlock and possible proprietary ones like ping, restart, etc.
Balazs
--
Balazs Lengyel                       Ericsson Hungary Ltd.
TSP System Manager
ECN: 831 7320                        Fax: +36 1 4377792
Tel: +36-1-437-7320     email: Balazs.Lengyel@ericsson.com
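
As an added illustration of the action-class model Balazs describes (example code, not from the thread or the draft), a small Python evaluator: each action is tagged readOnly/mightChangeConfiguration/mightDisturbTraffic, and roles are granted classes per subtree using Vincent's <permission id=".." op=".."/> element with the class carried in op and an assumed subtree attribute. The action classification and the policy document are constructed samples.

```python
import xml.etree.ElementTree as ET

# Danger class per action (constructed classification; the action names come from the thread)
ACTION_CLASS = {
    "get": "readOnly", "get-config": "readOnly", "ping": "readOnly",
    "edit-config": "mightChangeConfiguration", "copy-config": "mightChangeConfiguration",
    "lock": "mightChangeConfiguration", "unlock": "mightChangeConfiguration",
    "kill-session": "mightDisturbTraffic", "restart": "mightDisturbTraffic",
}

# Constructed policy: Vincent's <permission id=".." op=".."/> element, with op holding an
# action class instead of a single action and an assumed 'subtree' attribute for scope.
POLICY_XML = """
<rbac>
  <role name="junior-operator">
    <permission id="1" op="readOnly" subtree="/"/>
  </role>
  <role name="performance-manager">
    <permission id="2" op="readOnly" subtree="/"/>
    <permission id="3" op="mightChangeConfiguration" subtree="/top/performanceManagement"/>
  </role>
  <role name="superuser">
    <permission id="4" op="readOnly" subtree="/"/>
    <permission id="5" op="mightChangeConfiguration" subtree="/"/>
    <permission id="6" op="mightDisturbTraffic" subtree="/"/>
  </role>
</rbac>
"""

def load_policy(xml_text):
    """Return {role: [(action_class, subtree), ...]} parsed from the policy document."""
    root = ET.fromstring(xml_text)
    return {r.get("name"): [(p.get("op"), p.get("subtree")) for p in r.findall("permission")]
            for r in root.findall("role")}

def in_subtree(path, subtree):
    # Whole-component prefix match, so /top/performanceManagementX is not inside /top/performanceManagement
    return subtree == "/" or path == subtree or path.startswith(subtree.rstrip("/") + "/")

def is_allowed(policy, role, action, path="/"):
    """Default deny: unknown actions and unknown roles are refused; otherwise allow only if
    some grant of the role covers both the action's class and the target path."""
    cls = ACTION_CLASS.get(action)
    if cls is None or role not in policy:
        return False
    return any(c == cls and in_subtree(path, s) for c, s in policy[role])

POLICY = load_policy(POLICY_XML)

if __name__ == "__main__":
    print(is_allowed(POLICY, "performance-manager", "edit-config", "/top/interfaces"))  # False
```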

--
to unsubscribe send a message to netconf-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/netconf/>